Campus Information Technology Security Policy

Introduction

In order to fulfill its mission of teaching, research and public service, the campus is committed to providing a secure yet open network that protects the integrity and confidentiality of information while maintaining its accessibility.

Policy

Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise. Activities outsourced to off-campus entities must comply with the same security requirements as in-house activities.

Roles and Responsibilities

Responsibilities range in scope from administering the security controls of a large system to protecting one's own access password. A particular individual often has more than one role.

Insufficient security measures at any level may cause resources to be damaged or stolen, or to become a liability to the campus; the campus may therefore take responsive action. For example, if a situation is deemed serious enough, the computer(s) posing a threat will be blocked from network access. (The campus "Guidelines and Procedures for Blocking Network Access" specify how the decision to block is made and the procedures involved.)

Key Security Elements

Logical Security:

Computers must have the most recently available and appropriate software security patches, commensurate with the identified level of acceptable risk. For example, installations that allow unrestricted access to resources must be configured with extra care to minimize security risks.

Adequate authentication and authorization functions must be provided, commensurate with appropriate use and the acceptable level of risk.

Attention must be given not only to large systems but also to smaller computers which, if compromised, could constitute a threat to campus or off-campus resources, including computers maintained for a small group or for an individual's own use.

Physical Security:

Appropriate controls must be employed to protect physical access to resources, commensurate with the identified level of acceptable risk. These may range in scope and complexity from extensive security installations to protect a room or facility where server machines are located, to simple measures taken to protect a User's display screen.

Privacy and Confidentiality

Applications must be designed and computers must be used so as to protect the privacy and confidentiality of the various types of electronic data they process, in accordance with applicable laws and policies.

Users who are authorized to obtain data must ensure that it is protected to the extent required by law or policy after they obtain it. For example, when sensitive data is transferred from a well-secured mainframe system to a User's location, adequate security measures must be in place at the destination computer to protect this "downstream data".

Technical staff assigned to ensure the proper functioning and security of University electronic information resources and services are not permitted to search the contents of electronic communications or related transactional information except as provided for in the University of California (UC) Electronic Communications Policy. For example, any scanning of network traffic to detect intrusive activities must follow established campus guidelines or organizational procedures to ensure compliance with laws and policies protecting the privacy of the information.

Compliance with Law and Policy

Campus departments, units, or groups should establish security guidelines, standards, or procedures that refine the provisions of this Policy for specific activities under their purview, in conformance with this Policy and other applicable policies and laws.

Policies that apply to all campus electronic information resource security include, but are not limited to, the UC Electronic Communications Policy and the campus Computer Use Policy. Electronic information resources used in support of University business administration must comply with the provisions of BFB IS-3 and its companion "Implementing IS-3 Electronic Information Security". Federal and state laws prohibit theft or abuse of computers and other electronic resources.

The following activities are specifically prohibited under this Policy:

interfering with, tampering with, or disrupting resources;

intentionally transmitting any computer viruses, worms, or other malicious software;

attempting to access, accessing, or exploiting resources you are not authorized to access;

knowingly enabling inappropriate levels of access or exploitation of resources by others;

downloading sensitive or confidential electronic information/data to computers that are not adequately configured to protect it from unauthorized access;

disclosing any electronic information/data you do not have a right to disclose.

In addition to any possible legal sanctions, violators of this Policy may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to Berkeley Campus policies, collective bargaining agreements, codes of conduct, or other instrument governing the individual’s relationship with the University. Recourse to such actions shall be as provided for under the provisions of those instruments.

Resources

Contacts

Questions about this Policy or other campus electronic information resource policies may be directed to the IT Policy Services unit: "itpolicy@berkeley.edu".